
Firewall Settings > Flood Protection

The Firewall Settings > Flood Protection page lets you view statistics on TCP traffic through the security appliance and manage TCP traffic settings. The page is divided into five sections:

 
TCP Settings
 
SYN Flood Protection Methods
 
Configuring Layer 3 SYN Flood Protection
 
Configuring Layer 2 SYN/RST/FIN Flood Protection
 
TCP Traffic Statistics

TCP Settings

The TCP Settings section allows you to:

 
Enforce strict TCP compliance with RFC 793 and RFC 1122 – Select to ensure strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Window Scaling feature for Windows Vista users.
 
Enable TCP handshake enforcement – Require a successful three-way TCP handshake for all TCP connections.
 
Enable TCP checksum enforcement – If an invalid TCP checksum is calculated, the packet will be dropped.
 
Default TCP Connection Timeout – The default inactivity timeout assigned to Access Rules for TCP traffic. If a TCP session carries no traffic for a period in excess of this setting, the TCP connection will be cleared by the SonicWALL. The default value is 5 minutes, the minimum value is 1 minute, and the maximum value is 999 minutes. Note: Setting excessively long connection timeouts will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache.
 
Maximum Segment Lifetime (seconds) – Determines the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection.
 
Default value: 8 seconds
 
Minimum value: 1 second
 
Maximum value: 60 seconds

SYN Flood Protection Methods

SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of Service (DoS) or Distributed DoS (DDoS) attacks that attempt to consume the host’s available resources by one of the following means:

 
Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP addresses.
 
Creating excessive numbers of half-opened TCP connections.

The following sections detail some SYN Flood protection methods:

 
SYN Flood Protection Using Stateless Cookies
 
Layer-Specific SYN Flood Protection Methods
 
Understanding SYN Watchlists
 
Understanding a TCP Handshake

SYN Flood Protection Using Stateless Cookies

The method of SYN flood protection employed starting with SonicOS Enhanced uses stateless SYN cookies, which increase the reliability of SYN Flood detection and also improve overall resource utilization on the SonicWALL. With stateless SYN cookies, the SonicWALL does not have to maintain state on half-open connections. Instead, it uses a cryptographic calculation (rather than randomness) to arrive at SEQr, so that the SYN/ACK it sent can later be verified from the returning ACK alone.

Layer-Specific SYN Flood Protection Methods

SonicOS Enhanced provides several protections against SYN Floods generated from two different environments: trusted (internal) or untrusted (external) networks. Attacks from untrusted WAN networks usually target one or more servers protected by the firewall. Attacks from the trusted LAN networks usually result from a virus infection inside one or more of the trusted networks, generating attacks on one or more local or remote hosts.

To provide a firewall defense to both attack scenarios, SonicOS Enhanced provides two separate SYN Flood protection mechanisms on two different layers. Each gathers and displays SYN Flood statistics and generates log messages for significant SYN Flood events.

 
SYN Proxy (Layer 3) – This mechanism shields servers inside the trusted network from WAN-based SYN flood attacks, using a SYN Proxy implementation to verify the WAN clients before forwarding their connection requests to the protected server. You can enable SYN Proxy only on WAN interfaces.
 
SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface.

Understanding SYN Watchlists

The internal architecture of both SYN Flood protection mechanisms is based on a single list of Ethernet addresses that are the most active devices sending initial SYN packets to the firewall. This list is called a SYN watchlist. Because this list contains Ethernet addresses, the device tracks all SYN traffic based on the address of the device forwarding the SYN packet, without considering the IP source or destination address.

Each watchlist entry contains a value called a hit count. The hit count value increments when the device receives an initial SYN packet from the corresponding device. The hit count decrements when the TCP three-way handshake completes. The hit count for any particular device generally equals the number of half-open connections pending since the last time the device reset the hit count. The device default for resetting a hit count is once a second.

The thresholds for logging, SYN Proxy, and SYN Blacklisting are all compared to the hit count values when determining if a log message or state change is necessary. When a SYN Flood attack occurs, the number of pending half-open connections from the device forwarding the attacking packets increases substantially because of the spoofed connection attempts. When you set the attack thresholds correctly, normal traffic flow produces few attack warnings, but the same thresholds detect and deflect attacks before they result in serious network degradation.

Understanding a TCP Handshake

A typical TCP handshake (simplified) begins with an initiator sending a TCP SYN packet with a 32-bit sequence (SEQi) number. The responder then sends a SYN/ACK packet acknowledging the received sequence by sending an ACK equal to SEQi+1 and a random, 32-bit sequence number (SEQr). The responder also maintains state awaiting an ACK from the initiator. The initiator’s ACK packet should contain the next sequence (SEQi+1) along with an acknowledgment of the sequence it received from the responder (by sending an ACK equal to SEQr+1). The exchange looks as follows:

1. Initiator -> SYN (SEQi=0001234567, ACKi=0) -> Responder
2. Initiator <- SYN/ACK (SEQr=3987654321, ACKr=0001234568) <- Responder
3. Initiator -> ACK (SEQi=0001234568, ACKi=3987654322) -> Responder

Because the responder has to maintain state on all half-open TCP connections, memory depletion can occur if SYNs arrive faster than the responder can process or clear them. A half-open TCP connection is one that has not transitioned to the established state through completion of the three-way handshake. When the SonicWALL is between the initiator and the responder, it effectively becomes the responder, brokering, or proxying, the TCP connection to the actual responder (private host) it is protecting.
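The exchange above, carried through a stateless-cookie proxy in code. This is an added example written for this page and not SonicOS code: the cookie layout (5 bits of time tick, 3 bits of MSS index, 24 bits of keyed hash), the 64-second tick, the MSS table, the secret and every function name are assumptions made for illustration. The page only states that SEQr is derived cryptographically rather than randomly and that the proxy waits for the client's ACK before forwarding the request to the server.

```python
# Stateless SYN cookies for a SYN proxy: an added illustration, not SonicOS code.
# Assumed here: the cookie layout (5 bits of time tick, 3 bits of MSS index,
# 24 bits of keyed hash), the 64-second tick, the MSS table and the secret.
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF
SECRET = b"rotate-me-out-of-band"       # constructed for the example
MSS_TABLE = [536, 1220, 1460, 8960]     # values that fit the 3-bit index


def _tick(now):
    """Coarse time counter; bounds how long a manufactured SYN/ACK stays answerable."""
    return int(now) // 64


def _mac(saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding a cookie to the connection 4-tuple and the tick."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, tick & MASK32)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """SEQr for the manufactured SYN/ACK. Nothing is stored for this client."""
    tick = _tick(now)
    idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            idx = i
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the ACK of a proxied handshake; return the recovered MSS or None."""
    seqr = (ack - 1) & MASK32           # a genuine client answers with ACK = SEQr + 1
    tick = _tick(now)
    for t in (tick, tick - 1):          # current tick, or the previous one for slow clients
        if (t & 0x1F) == seqr >> 27:
            if _mac(saddr, sport, daddr, dport, t) == (seqr & 0xFFFFFF):
                return MSS_TABLE[(seqr >> 24) & 0x7]
            return None                 # right age, wrong hash: forged or replayed
    return None                         # too old


def proxied_handshake(saddr, sport, daddr, dport, seqi, mss, client_answers, now):
    """Run the three-way handshake through the proxy.

    Returns (accepted, mss_for_server). Between steps 2 and 3 the proxy holds no
    per-connection state, so a spoofed source that never answers costs nothing.
    """
    # 1. initiator -> SYN (seq=seqi)        2. proxy -> SYN/ACK (seq=cookie, ack=seqi+1)
    seqr = make_cookie(saddr, sport, daddr, dport, mss, now)
    synack = {"seq": seqr, "ack": (seqi + 1) & MASK32}
    if not client_answers:              # a flood source never completes step 3
        return False, None
    # 3. initiator -> ACK (seq=seqi+1, ack=seqr+1)
    ack_pkt = {"seq": synack["ack"], "ack": (synack["seq"] + 1) & MASK32}
    mss_out = check_cookie(saddr, sport, daddr, dport, ack_pkt["ack"], now)
    return mss_out is not None, mss_out  # only now is the request forwarded to the server
```

Because the proxy never hears from the protected server before it has to answer the client, the MSS it advertises has to come from the cookie itself, which is the situation the Limit MSS sent to WAN clients option described later on this page is there to control.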

Configuring Layer 3 SYN Flood Protection

To configure SYN Flood Protection features, go to the Layer 3 SYN Flood Protection - SYN Proxy portion of the Firewall Settings > Flood Protection window that appears as shown in the following figure.

A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables you to set three different levels of SYN Flood Protection:

 
Watch and Report Possible SYN Floods – This option enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the device so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high risk environment.
 
Proxy WAN Client Connections When Attack is Suspected – This option turns on the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures that the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
 
Always Proxy WAN Client Connections – This option sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that this is an extreme security measure and directs the device to respond to port scans on all TCP ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate false positives. Select this option only if your network is in a high risk environment.

Configuring SYN Attack Threshold

The SYN Attack Threshold configuration options provide limits for SYN Flood activity before the device drops packets. The device gathers statistics on WAN TCP connections, keeping track of the maximum and average number of incomplete WAN connections per second. From these statistics, the device suggests a value for the SYN flood threshold. Note the two options in the section:

Suggested value calculated from gathered statistics – The suggested attack threshold based on WAN TCP connection statistics.

Attack Threshold (Incomplete Connection Attempts/Second) – Enables you to set the threshold for the number of incomplete connection attempts per second before the device drops packets at any value between 5 and 999,999.

Configuring SYN Proxy Options

When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally provided on SYN/ACK packets.

To provide more control over the options sent to WAN clients when in SYN Proxy mode, you can configure the following two objects:

 
SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, when a packet or series of packets is dropped, the receiver informs the sender which data has been received and where holes exist in the data.
 
MSS (Maximum Segment Size) – This sets the threshold for the size of TCP segments, preventing a segment that is too large from being sent to the targeted server. For example, if the server is an IPsec gateway, it may need to limit the MSS it receives to leave space for IPsec headers when tunneling traffic. The firewall cannot predict the MSS value the server would send when the firewall manufactures the SYN/ACK during the proxy sequence. Being able to control the size of a segment enables you to control the manufactured MSS value sent to WAN clients.

The SYN Proxy Threshold region contains the following options:

 
All LAN/DMZ servers support the TCP SACK option – This checkbox enables Selective ACK where a packet can be dropped and the receiving device indicates which packets it received. Enable this checkbox only when you know that all servers covered by the firewall accessed from the WAN support the SACK option.
 
Limit MSS sent to WAN clients (when connections are proxied) – Enables you to enter the maximum MSS value. If you specify an override value for the default of 1460, a segment of that size or smaller will be advertised to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.
 
Maximum TCP MSS sent to WAN clients – The MSS value to advertise. The default is 1460.
 
Note
When using Proxy WAN client connections, remember to set these options conservatively since they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can proceed during an attack.
 
Always log SYN packets received. Logs all SYN packets received.

Configuring Layer 2 SYN/RST/FIN Flood Protection

The SYN/RST/FIN Blacklisting feature is a list that contains devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

Devices cannot appear on the SYN/RST/FIN Blacklist and the watchlist simultaneously. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.

The SYN/RST/FIN Blacklisting region contains the following options:

 
Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
 
Enable SYN/RST/FIN flood blacklisting on all interfaces – This checkbox enables the blacklisting feature on all interfaces on the firewall.
 
Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it unchecked may interrupt traffic to and from the firewall’s WAN ports.
 
Always allow SonicWALL management traffic – This checkbox causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic, and routing protocols to maintain connectivity through a blacklisted device.
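A small model of the watchlist and blacklist behaviour described under Understanding SYN Watchlists and in this section, as an added example that is not SonicOS code. The per-MAC hit count reset every second, the thresholds compared against it, the WAN-only proxy state, the "never blacklist WAN machines" option and the release roughly three seconds after a flood ends follow the text; the class and method names, the event format, the sample thresholds and the constructed traffic are assumptions made here.

```python
# SYN watchlist with log / SYN-proxy / blacklist thresholds keyed by source MAC.
# Added illustration of the behaviour this page describes, not SonicOS code;
# names, event format, default thresholds and the traffic in demo() are assumed.
from collections import defaultdict


class SynWatchlist:
    def __init__(self, attack_threshold=300, blacklist_threshold=1000,
                 never_blacklist_wan=True, release_after=3):
        self.attack_threshold = attack_threshold        # Layer 3: incomplete connections / s
        self.blacklist_threshold = blacklist_threshold  # Layer 2: SYNs / s, larger than the above
        self.never_blacklist_wan = never_blacklist_wan
        self.release_after = release_after              # seconds after a flood ends
        self.hits = defaultdict(int)        # watchlist: MAC -> SYNs not yet completed this second
        self.flooding = {}                  # MACs over attack_threshold this second -> interface
        self.blacklist = {}                 # MAC -> last second in which it was still flooding
        self.black_hits = defaultdict(int)  # packets dropped per blacklisted MAC this second
        self.proxy_on = False               # SYN Proxy state on the WAN interfaces
        self.second = None
        self.stats = {"syn_floods": 0, "blacklist_events": 0,
                      "blacklist_dropped": 0, "forwarded": 0}
        self.log = []

    def _roll(self, t):
        """Close every elapsed one-second window: reset hit counts, age the blacklist."""
        sec = int(t)
        if self.second is None:
            self.second = sec
        while self.second < sec:
            # proxy mode stays on while any WAN device is still over the attack threshold
            self.proxy_on = "WAN" in self.flooding.values()
            self.hits.clear()
            self.flooding.clear()
            for mac in list(self.blacklist):
                if self.black_hits[mac] >= self.blacklist_threshold:
                    self.blacklist[mac] = self.second           # flood continues
                elif self.second - self.blacklist[mac] >= self.release_after:
                    del self.blacklist[mac]                     # back onto the watchlist
                    self.log.append(f"t={self.second} {mac} removed from blacklist")
            self.black_hits.clear()
            self.second += 1

    def syn(self, t, mac, iface):
        """Initial SYN forwarded by `mac` seen on `iface`; returns drop, proxy or forward."""
        self._roll(t)
        if mac in self.blacklist:           # dropped early, before the watchlist is consulted
            self.black_hits[mac] += 1
            self.stats["blacklist_dropped"] += 1
            return "drop"
        self.hits[mac] += 1
        n = self.hits[mac]
        if n > self.blacklist_threshold and not (iface == "WAN" and self.never_blacklist_wan):
            del self.hits[mac]              # a device is on one list or the other, never both
            self.flooding.pop(mac, None)
            self.blacklist[mac] = self.second
            self.stats["blacklist_events"] += 1
            self.stats["blacklist_dropped"] += 1
            self.log.append(f"t={self.second} {mac} blacklisted ({n} SYN/s on {iface})")
            return "drop"
        if n > self.attack_threshold and mac not in self.flooding:
            self.flooding[mac] = iface
            self.stats["syn_floods"] += 1
            self.log.append(f"t={self.second} possible SYN flood from {mac} on {iface}")
            if iface == "WAN":              # "Proxy WAN Client Connections When Attack is Suspected"
                self.proxy_on = True
        if iface == "WAN" and self.proxy_on:
            return "proxy"
        self.stats["forwarded"] += 1
        return "forward"

    def handshake_done(self, t, mac):
        """Third packet of the handshake seen: one fewer half-open connection for `mac`."""
        self._roll(t)
        if self.hits[mac] > 0:
            self.hits[mac] -= 1


def demo():
    """Constructed traffic: an infected LAN host, a WAN flood source, a normal WAN client."""
    wl = SynWatchlist(attack_threshold=300, blacklist_threshold=1000)
    lan_bot, wan_bot, user = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    verdicts = defaultdict(lambda: defaultdict(int))
    for i in range(1200):                                   # 1200 SYN/s, none completed
        verdicts[lan_bot][wl.syn(10.0 + i / 2000, lan_bot, "LAN")] += 1
    for i in range(400):                                    # 400 SYN/s arriving from the WAN
        verdicts[wan_bot][wl.syn(10.6 + i / 2000, wan_bot, "WAN")] += 1
    verdicts[user][wl.syn(11.0, user, "WAN")] += 1           # proxied while the WAN flood is on
    wl.handshake_done(11.1, user)                           # a real client completes the handshake
    verdicts[user][wl.syn(12.0, user, "WAN")] += 1           # forwarded again once the flood stops
    verdicts[lan_bot][wl.syn(13.0, lan_bot, "LAN")] += 1     # still blacklisted
    verdicts[lan_bot][wl.syn(14.5, lan_bot, "LAN")] += 1     # released about 3 s after the flood ended
    return {m: dict(v) for m, v in verdicts.items()}, wl.stats, wl.log


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

With the default Never blacklist WAN machines behaviour modelled here, the WAN source is only ever proxied, while the LAN source crosses the higher blacklist threshold and is dropped before it can consume watchlist or proxy resources, which is the division of labour between the two layers that the page describes.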

TCP Traffic Statistics

The TCP Traffic Statistics table provides statistics on the following:

 
Connections Opened – Incremented when a TCP connection initiator sends a SYN, or a TCP connection responder receives a SYN.
 
Connections Closed – Incremented when a TCP connection closes, that is, when both the initiator and the responder have sent a FIN and received an ACK.
 
Connections Refused – Incremented when a RST is encountered, and the responder is in a SYN_RCVD state.
 
Connections Aborted – Incremented when a RST is encountered, and the responder is in some state other than SYN_RCVD.
 
Total TCP Packets – Incremented with every processed TCP packet.
 
Validated Packets Passed – Incremented under the following conditions:
 
When a TCP packet passes checksum validation (while TCP checksum validation is enabled).
 
When a valid SYN packet is encountered (while SYN Flood protection is enabled).
 
When a SYN Cookie is successfully validated on a packet with the ACK flag set (while SYN Flood protection is enabled).
 
Malformed Packets Dropped - Incremented under the following conditions:
 
When TCP checksum fails validation (while TCP checksum validation is enabled).
 
When the TCP SACK Permitted (Selective Acknowledgement, see RFC 1072) option is encountered, but the calculated option length is incorrect.
 
When the TCP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect.
 
When the TCP SACK option data is calculated to be either less than the minimum of 6 bytes, or not a multiple of the 4-byte block size.
 
When the TCP option length is determined to be invalid.
 
When the TCP header length is calculated to be less than the minimum of 20 bytes.
 
When the TCP header length is calculated to be greater than the packet’s data length.
 
Invalid Flag Packets Dropped - Incremented under the following conditions:
 
When a non-SYN packet is received that cannot be located in the connection-cache (while SYN Flood protection is disabled).
 
When a packet with flags other than SYN, RST+ACK or SYN+ACK is received during session establishment (while SYN Flood protection is enabled).
 
TCP XMAS Scan will be logged if the packet has FIN, URG, and PSH flags set.
 
TCP FIN Scan will be logged if the packet has the FIN flag set.
 
TCP Null Scan will be logged if the packet has no flags set.
 
When a new TCP connection initiation is attempted with something other than just the SYN flag set.
 
When a packet with the SYN flag set is received within an established TCP session.
 
When a packet without the ACK flag set is received within an established TCP session.
 
Invalid Sequence Packets Dropped – Incremented under the following conditions:
 
When a packet within an established connection is received where the sequence number is less than the connection’s oldest unacknowledged sequence.
 
When a packet within an established connection is received where the sequence number is greater than the connection’s oldest unacknowledged sequence + the connection’s last advertised window size.
 
Invalid Acknowledgement Packets Dropped - Incremented under the following conditions:
 
When a packet is received with the ACK flag set, and with neither the RST or SYN flags set, but the SYN Cookie is determined to be invalid (while SYN Flood protection is enabled).
 
When a packet’s ACK value (adjusted by the sequence number randomization offset) is less than the connection’s oldest unacknowledged sequence number.
 
When a packet’s ACK value (adjusted by the sequence number randomization offset) is greater than the connection’s next expected sequence number.
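The header, option and flag checks behind the Malformed, Invalid Flag and Validated counters above, as an added example that is not SonicOS code. The checksum is the RFC 793 sum over an IPv4 pseudo-header, the option-length rules follow RFC 793 (MSS) and RFC 2018 (SACK) sizes, and the scan signatures are the XMAS, Null and FIN patterns listed above (a FIN scan is taken here as FIN with no other flag). The function names and the sample segments are constructed for this example; the exact limits the appliance enforces are the ones listed on this page.

```python
# TCP header sanity checks behind the "Malformed", "Invalid Flag" and "Validated"
# counters: an added illustration, not SonicOS code. Sample segments are constructed.
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MALFORMED, BADFLAGS = "Malformed Packets Dropped", "Invalid Flag Packets Dropped"
PASSED = "Validated Packets Passed"


def tcp_checksum(src, dst, segment):
    """RFC 793 one's-complement sum over the IPv4 pseudo-header and the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_options(opts):
    """Walk the option list; return None if it is well formed, else the reason."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            return None
        if kind == 1:                       # No-Operation: single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return "option length byte missing"
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return "invalid option length"
        if kind == 2 and length != 4:       # MSS (RFC 793)
            return "bad MSS option length"
        if kind == 4 and length != 2:       # SACK-Permitted (RFC 2018)
            return "bad SACK-permitted option length"
        if kind == 5 and (length < 10 or (length - 2) % 8):   # SACK: n blocks of 8 bytes
            return "bad SACK option length"
        i += length
    return None


def classify(src, dst, segment, established=False):
    """Return (counter, reason) for one segment; checks are applied in this order."""
    if len(segment) < 20:
        return MALFORMED, "header shorter than 20 bytes"
    off_flags = struct.unpack("!H", segment[12:14])[0]
    hlen, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if hlen < 20 or hlen > len(segment):
        return MALFORMED, "header length out of range"
    if tcp_checksum(src, dst, segment) != 0:   # sum including the checksum field is 0 when valid
        return MALFORMED, "checksum failure"
    reason = check_options(segment[20:hlen])
    if reason:
        return MALFORMED, reason
    if flags & (FIN | URG | PSH) == (FIN | URG | PSH):
        return BADFLAGS, "TCP XMAS scan"
    if flags == 0:
        return BADFLAGS, "TCP Null scan"
    if flags == FIN:                            # FIN alone, no ACK
        return BADFLAGS, "TCP FIN scan"
    if established and flags & SYN:
        return BADFLAGS, "SYN inside established session"
    if established and not flags & ACK:
        return BADFLAGS, "no ACK inside established session"
    if not established and flags & SYN and flags not in (SYN, SYN | ACK):
        return BADFLAGS, "connection initiation with extra flags set"
    return PASSED, "ok"


def build_segment(src, dst, sport, dport, flags, options=b"", corrupt=False):
    """Constructed header-only segment with a correct checksum (or a corrupted one)."""
    options += b"\0" * (-len(options) % 4)
    hlen = 20 + len(options)
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, ((hlen // 4) << 12) | flags, 65535, 0, 0) + options
    csum = tcp_checksum(src, dst, hdr) ^ (1 if corrupt else 0)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


SRC, DST = socket.inet_aton("203.0.113.5"), socket.inet_aton("192.0.2.10")   # constructed


def demo():
    """Constructed segments exercising each counter."""
    syn = build_segment(SRC, DST, 40000, 443, SYN, b"\x02\x04\x05\xb4\x04\x02")  # MSS 1460 + SACK-Permitted
    overlong = bytearray(syn)
    overlong[12] = 0xF0 | (overlong[12] & 0x0F)          # data offset 15 -> claims a 60-byte header
    samples = {
        "clean SYN": (syn, False),
        "XMAS scan": (build_segment(SRC, DST, 40000, 443, FIN | URG | PSH), False),
        "NULL scan": (build_segment(SRC, DST, 40000, 443, 0), False),
        "FIN scan": (build_segment(SRC, DST, 40000, 443, FIN), False),
        "SYN+FIN": (build_segment(SRC, DST, 40000, 443, SYN | FIN), False),
        "SYN in established": (build_segment(SRC, DST, 40000, 443, SYN | ACK), True),
        "bad checksum": (build_segment(SRC, DST, 40000, 443, SYN, corrupt=True), False),
        "short MSS option": (build_segment(SRC, DST, 40000, 443, SYN, b"\x02\x03\x05"), False),
        "short SACK block": (build_segment(SRC, DST, 40000, 443, ACK, b"\x05\x06\0\0\0\0"), True),
        "truncated header": (syn[:12], False),
        "overlong data offset": (bytes(overlong), False),
    }
    return {name: classify(SRC, DST, seg, est) for name, (seg, est) in samples.items()}
```

The order of the checks matters: a segment whose data offset points past the end of the packet is rejected before any option is read, so the option walker never indexes outside the buffer, and a checksum failure is reported before flag analysis, so garbage is counted as malformed rather than as a scan.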

SYN, RST, and FIN Flood Statistics

You can view SYN, RST, and FIN Flood statistics in the lower half of the TCP Traffic Statistics list:

 
Max Incomplete WAN Connections / sec – The maximum number of pending embryonic half-open connections recorded since the firewall has been up (or since the last time the TCP statistics were cleared).
 
Average Incomplete WAN Connections / sec – The average number of pending embryonic half-open connections, based on the total number of samples since bootup (or the last TCP statistics reset).
 
SYN Floods in Progress – The number of individual forwarding devices that are currently exceeding either SYN Flood threshold.
 
RST Floods in Progress – The number of individual forwarding devices whose RST packets are currently exceeding the SYN/RST/FIN flood blacklisting threshold.
 
FIN Floods in Progress – The number of individual forwarding devices whose FIN packets are currently exceeding the SYN/RST/FIN flood blacklisting threshold.
 
Total SYN, RST, or FIN Floods Detected – The total number of events in which a forwarding device has exceeded the lower of either the SYN attack threshold or the SYN/RST/FIN flood blacklisting threshold.
 
TCP Connection SYN-Proxy State (WAN only) – Indicates whether or not Proxy-Mode is currently on for the WAN interfaces.
 
Current SYN-Blacklisted Machines – The number of devices currently on the SYN blacklist.
 
Current RST-Blacklisted Machines – The number of devices currently on the RST blacklist.
 
Current FIN-Blacklisted Machines – The number of devices currently on the FIN blacklist.
 
Total SYN-Blacklisting Events – The total number of instances any device has been placed on the SYN blacklist.
 
Total RST-Blacklisting Events – The total number of instances any device has been placed on the RST blacklist.
 
Total FIN-Blacklisting Events – The total number of instances any device has been placed on the FIN blacklist.
 
Total SYN Blacklist Packets Rejected – The total number of packets dropped because of the SYN blacklist.
 
Total RST Blacklist Packets Rejected – The total number of packets dropped because of the RST blacklist.
 
Total FIN Blacklist Packets Rejected – The total number of packets dropped because of the FIN blacklist.
 
Invalid SYN Flood Cookies Received – The total number of invalid SYN flood cookies received.